Attacking Democracy: Should DDoS Be Considered a Legitimate Form of Protest?

It used to be that news about DDoS attacks was largely limited to tech websites and other specialized information sources, where the focus was on attack vectors, attack sizes, how exactly the perpetrators pulled it off and how websites could protect themselves going forward. These still have their place, especially with the ever-increasing size, complexity and frequency of attacks, but over the last few years DDoS has gone mainstream and gotten political.

With DDoS attacks appearing in headlines regarding the U.S. election, Brexit and the push for democracy in Hong Kong, the question has to be asked: should these attacks be considered a legitimate form of protest?

DDoS attacks have been in the mainstream news for the last couple of years. This is because of how pervasive they’ve become, with nearly every website on the Internet now a potential target thanks to DDoS for hire services and DDoS ransom notes, and also because of the high-profile sites that have fallen victim to attacks, including Netflix, PayPal, Twitter and Reddit. Now DDoS attacks stand accused of involvement in some of the biggest political events in recent history.

Recent political incidents

Distributed denial of service attacks hit the political headlines in 2014 when the people of Hong Kong were in the midst of a major push for democracy, asking for genuine universal suffrage instead of the newly-reformed system that allows citizens to vote for candidates selected by an exclusive nominating committee – a system that seemed overly restrictive as well as too similar to the previous system in which the Chinese Communist Party selected the candidates.

When the democratic movement’s official website launched, it logged 680,000 votes in an unofficial poll on candidates in the site’s first weekend despite the fact that it was being battered by DDoS attacks weighing in at over 300 Gbps. Though a perpetrator was not definitively named, it was widely speculated the Chinese government was behind the attacks.

In a recent report, the Chinese government has come up alongside the Russian government in rumors surrounding the Brexit vote. In the hours before the deadline to register to vote in the Brexit referendum, the registration site crashed, reportedly due to a DDoS attack. The outage left tens of thousands of voters unable to register to vote, and the referendum ended with 51.9 percent voting to leave the European Union.

Though the Russian government has been suspected of meddling via hacking in both the U.S. and French elections, reportedly in favor of Donald Trump and Marine Le Pen, it’s unknown if the Kremlin was involved in DDoS attack attempts on either Hillary Clinton or Donald Trump’s website; it seems more likely these Mirai botnet-powered attempts were instead the work of hackers from underground forums.

The argument for recognizing DDoS as legitimate (and legal) protest

The history of distributed denial of service attacks go all the way back to 1995 when an Italian collective brought down the French government’s website in protest of France’s nuclear policy. Soon after, a group by the name of the Electronic Disturbance Theater built a tool that enabled anyone to join their virtual sit-ins that targeted the White House website as well as the websites of politicians.

Current hacktivist group Anonymous has taken the idea of the virtual sit-in and turned it into a voluntary botnet that allows anyone to donate the use of their device for attacks against targets like the Brazilian government in protest of the FIFA World Cup.

These actions would seem to fit the criteria of legal protest, allowing citizens to peacefully albeit virtually demonstrate and rendering a website unavailable in much the same way a sit-in would render an office or institution unavailable. However, in the United States this kind of online activism can be considered a felony.

The argument against

Not only are DDoS attacks illegal, regardless of whether or not the attack is intended as a form of protest, but legitimizing or legalizing these attacks may cause more problems than it solves. For instance, while an opt-in botnet does seem to be a form of voluntary political activism, almost all botnets are populated by devices that have decidedly not opted in, which means politically-motivated DDoS attacks would be largely perpetrated using the property of people who have not consented. Like signing someone else’s name to a petition, this cannot be permitted.

Furthermore, any legislation attempting to legalize DDoS protests would have to find a way to differentiate between attacks coming from voluntary botnets and attacks coming from nation states. A murky area, at best.

With so many other forms of protest available to motivated citizens, it’s hard to imagine legalizing or legitimizing any form of DDoS attack. It’s just too easy for these attacks to be used for altogether nefarious and malicious purposes by groups that decidedly do not represent the will or wishes of the people.